License scanning (thus container building) fails in non-vendor-ed repo

Repro:

Take this repo:

[hi on] jingyuanliang@jingyuanliang:/tmp$ git clone https://github.com/thockin/go-build-template.git
Cloning into 'go-build-template'...
remote: Enumerating objects: 526, done.
remote: Counting objects: 100% (320/320), done.
remote: Compressing objects: 100% (101/101), done.
remote: Total 526 (delta 218), reused 265 (delta 204), pack-reused 206
Receiving objects: 100% (526/526), 305.65 KiB | 3.97 MiB/s, done.
Resolving deltas: 100% (304/304), done.
[hi on] jingyuanliang@jingyuanliang:/tmp$ cd go-build-template/

Add reference to a third-party package; tidy, but do not vendor:

[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$ vim cmd/myapp-1/main.go 
[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$ git diff
diff --git a/cmd/myapp-1/main.go b/cmd/myapp-1/main.go
index d5d2cc7..cdcf8f9 100644
--- a/cmd/myapp-1/main.go
+++ b/cmd/myapp-1/main.go
@@ -21,6 +21,8 @@ import (
        "log"

        "github.com/thockin/go-build-template/pkg/version"
+
+       _ "k8s.io/apimachinery/pkg/api/errors"
 )

 func main() {
[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$ go mod tidy
go: finding module for package k8s.io/apimachinery/pkg/api/errors
go: found k8s.io/apimachinery/pkg/api/errors in k8s.io/apimachinery v0.28.1

Now try to build the container, and it fails:

[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$ make container
# building for linux/amd64
go: downloading k8s.io/apimachinery v0.28.1
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.3
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading k8s.io/klog/v2 v2.100.1
go: downloading k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading golang.org/x/net v0.13.0
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/go-logr/logr v1.2.4
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading golang.org/x/text v0.11.0
binary: bin/linux_amd64/myapp-1  
go: downloading github.com/google/go-licenses v1.6.0
go: downloading github.com/spf13/cobra v1.6.1
go: downloading github.com/otiai10/copy v1.6.0
go: downloading golang.org/x/tools v0.7.0
go: downloading github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148
go: downloading gopkg.in/src-d/go-git.v4 v4.13.1
go: downloading golang.org/x/text v0.8.0
go: downloading go.opencensus.io v0.23.0
go: downloading k8s.io/klog/v2 v2.80.1
go: downloading golang.org/x/net v0.8.0
go: downloading golang.org/x/mod v0.9.0
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading gopkg.in/src-d/go-billy.v4 v4.3.2
go: downloading golang.org/x/crypto v0.5.0
go: downloading github.com/sergi/go-diff v1.2.0
go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
go: downloading github.com/emirpasic/gods v1.12.0
go: downloading github.com/src-d/gcfg v1.4.0
go: downloading github.com/xanzy/ssh-agent v0.2.1
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd
go: downloading golang.org/x/sys v0.6.0
go: downloading gopkg.in/warnings.v0 v0.1.2
F0907 07:53:38.225951       1 main.go:77] err: exit status 1: stderr: go: could not create module cache: mkdir /go/pkg/mod: permission denied
make: *** [Makefile:226: .licenses] Error 1
[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$

The reason is that without a vendor directory, go-licenses makes .go/pkg/mod, and .go/pkg is not pre-created thus owned by root (created by docker):

[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$ ls -l .go
total 12
drwxr-x--- 3 jingyuanliang primarygroup 4096 Sep  7 07:53 bin
drwxr-x--- 5 jingyuanliang primarygroup 4096 Sep  7 07:53 cache
drwxr-xr-x 2 root          root         4096 Sep  7 07:53 pkg
[hi on] jingyuanliang@jingyuanliang:/tmp/go-build-template$

thockin / go-build-template

License scanning (thus container building) fails in non-vendor-ed repo #91